Remotely Counting Machines Behind A NAT Box
Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."
Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.
There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.
sin(6cos(r)+5A)
so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.
Most users just want web access, and this technique doesn't work on proxies.
You can't judge a book by the way it wears its hair.
5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment
4 -- Thermal image detection scan
3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure
2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot
1 -- Call the dude with the NAT box and ask him!
Free tech news & blogging for life -- *nix.org
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
What about when I put a NAT machine behind a NAT machine? ;-)
This is similar to the paketto suite. That allowed pinging behind a NAT wall.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."
Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISP's pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless lan in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."
Why is it a big deal for some company (broadband provider) whose ToS contract up-front says only X number of machines can use this connection or else additional fees apply to expect their customers to comply with the terms of their contract?
If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.
It's interesting to note that this would only ID the number of machines behind NAT boxes -- not those using proxy servers (a la squid). At least from what I read...
-jhon
the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...
...which will, of course, result in their attempts to find more onerous legal solutions to the problem.
I say - let the games begin!
Everyone will start to cheer when you put on your sailin' shoes.
Well, this sucks. Looks like I'll be flashing my Router soon...
All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.
-ZOD-
The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)
:)
However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
Hurray for Linux...
"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."
Crap! Now I have to worry about my internet conn
At one time the telephone monopoly measured ringer current to locate
"unauthorized" telephones that customers would (gasp!) install without
consulting Bell. People installed phones anyway.
Once everyone has many devices with IP addresses on their home LAN,
there is no way the ISP's can keep up. Just ignore this.
Fron the paper:
;)
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event. It should be possible to detect a random background to other, linear sources; the current version of the code does not do that.
So take that BSD bashers [ggg]. Of course, a gateway implementation to mask/randomize the IPids would be better - giving you a site-wide fix at once.
First one to market with one wins
Maybe someone can fill us in.
Sigs are bad for your health.
Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter
Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.
I'll have something intelligent to add one of these days...
'Cuz if it is, strictly speaking, there is only one computer connected to the ISP's network.
I can already imagine conversations like this:
ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll
I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.
Ash nazg durbatulûk, ash nazg gimbatul
ash nazg thrakatulûk, agh burzum-ishi krimpatul.
http://216.239.57.100/search?q=cache:QZA0opGpxtwC:www.research.att.com/~smb/papers/fnat.pdf+&hl=en&ie=UTF-8
Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.
But as the article states:
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.
So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).
Never approach a vast undertaking with a half-vast plan.
It's already here: SpeakEasy.
Their TOS explicitly states:
"Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."
Let us quick slashdot the server before those "friendly" ISPs get the information and use it to count our machines.
guru in training
After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocol, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.
Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
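As an added example (not code from Bellovin's paper and not from any poster in this thread), here is a toy model of the two things the posts above describe: the IPid-chain count an observer can run on packets leaving a NAT ("find X distinct ID field chains"), and a gateway that rewrites the IPid of every outgoing packet into one gateway-wide sequence, keeping an old-id -> new-id table so a quoted header on the return path can be mapped back. The greedy chain-joining rule, the 64-id gap threshold, the host addresses and the id values are all constructed for the demo and are not the paper's algorithm; the constant outgoing TTL is an extra, reflecting another poster's remark that netfilter NAT sets the TTL to one value.

```python
# Added example, not code from the paper or from any poster in this thread.
# (1) count_ipid_chains: what a passive observer sees in the IPid sequence.
# (2) IpidRewritingNat: a gateway that collapses every host into one sequence.
# Hosts, addresses, ids and the gap threshold are constructed for the demo.

IPID_MODULUS = 1 << 16   # the IP header id field is 16 bits


def count_ipid_chains(ipids, max_gap=64):
    """Estimate the number of counters behind a NAT from an IPid sequence.

    Greedy rule (a simplification, not the paper's exact method): each id joins
    the chain whose last id is the nearest smaller value (mod 2^16) within
    max_gap, otherwise it starts a new chain. Ids of 0 are skipped because the
    paper notes some Linux kernels emit a constant 0 on PMTU-discovery packets.
    Randomised ids (OpenBSD/FreeBSD) just look like many chains, which is why
    posters say such hosts inflate the count. Caveat: two counters that happen
    to sit within max_gap of each other merge, so this is a rough estimate.
    """
    last_ids = []                      # last id seen on each chain
    for ipid in ipids:
        if ipid == 0:
            continue
        best, best_gap = None, None
        for i, last in enumerate(last_ids):
            gap = (ipid - last) % IPID_MODULUS
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            last_ids.append(ipid)
        else:
            last_ids[best] = ipid
    return len(last_ids)


class IpidRewritingNat:
    """Toy gateway that replaces the IPid of every outgoing packet.

    One counter serves all flows, so the id stays unique per (src, dst, proto),
    which is the requirement the thread raises for fragment reassembly. The
    original id is remembered per flow so a returning packet that quotes the
    rewritten header (an ICMP error) can be mapped back for the inner host.
    A real implementation would expire table entries; this toy never does.
    """

    def __init__(self, start=0, ttl=64):
        self._next = start
        self._ttl = ttl                # constant outgoing TTL hides per-OS defaults
        self._orig_by_new = {}         # (src, dst, proto, new_id) -> original id

    def outbound(self, pkt):
        new_id = self._next % IPID_MODULUS
        self._next += 1
        self._orig_by_new[(pkt["src"], pkt["dst"], pkt["proto"], new_id)] = pkt["id"]
        return {**pkt, "id": new_id, "ttl": self._ttl}

    def original_id(self, src, dst, proto, new_id):
        """Reverse mapping for a quoted header on the return path; None if unknown."""
        return self._orig_by_new.get((src, dst, proto, new_id))


def constructed_packets(hosts, packets_per_host=5, dst="198.51.100.1"):
    """Round-robin interleave packets from constructed (addr, start_id, ttl) hosts."""
    counters = {addr: start for addr, start, _ in hosts}
    ttls = {addr: ttl for addr, _, ttl in hosts}
    pkts = []
    for _ in range(packets_per_host):
        for addr in counters:
            pkts.append({"src": addr, "dst": dst, "proto": 6,
                         "id": counters[addr] % IPID_MODULUS, "ttl": ttls[addr]})
            counters[addr] += 1
    return pkts


def demo():
    """Return (chains seen before rewriting, chains after, distinct TTLs after)."""
    hosts = [("10.0.0.2", 1000, 64), ("10.0.0.3", 40000, 128), ("10.0.0.4", 20000, 64)]
    pkts = constructed_packets(hosts)
    before = count_ipid_chains(p["id"] for p in pkts)
    nat = IpidRewritingNat(start=5000)
    rewritten = [nat.outbound(p) for p in pkts]
    after = count_ipid_chains(p["id"] for p in rewritten)
    distinct_ttls_after = len({p["ttl"] for p in rewritten})
    return before, after, distinct_ttls_after


if __name__ == "__main__":
    print(demo())   # three hosts visible before the rewrite, one chain after
```

Running `demo()` shows three chains (and two TTL values) on the raw packets and a single chain with one TTL after the gateway rewrite. The reverse table is what makes the scheme more than "mangle the number": without it, an ICMP error quoting the rewritten header would carry an id the inner host never sent.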
In case this gets /.-ed (like it won't =| )...
http://www.public.asu.edu/~jmellen/fnat.pdf. Have at it!!
Producer: NEXT!!
Ralph Wiggum: Chicken necks
There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?
It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate converations then they need two lines.
Contrast that with a high speed connection that can been shared with a bazillion users.
I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.
I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.
My prediction - they will either give up once netgear, linksys et al. release rom patches to prevent this, or they will try start charging on a "by data" basis.
This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.
On OpenBSD and FreeBSD, however:
A keyed generator, as is used in OpenBSD and FreeBSD, provides some protection, but one needs to be careful to avoid duplication if the generator is rekeyed periodically.
There's every possibility the ISPs and cable companies already know about this. Why do you think they would tell us? This is the same tired argument used to justify security through obscurity...it's specious.
I say, thank you Steve for making me aware of this. Now I have the option to take action, as do the companies that make these home networking devices.
There are already several simpler ways:
1. Use proxies instead of NAT and proxy transparently if needed. Yeah, I know, none of the P2P download sucker shit as it does not have proxies but such is life.
2. Use OSes with better randomisation of IP IDs. This is a tuneable parameter on most OSes and after you have turned it on the graphs are no longer so pretty.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Even random is random. My nick, too.
According to their FAQ, AT&T lets you connect "four additional computers" to your cable modem.
I'm thinking that even for Slashdot readers, five computers in the house with broadband internet will be sufficient.
Read it here:
Connect Multiple Computers to the AT&T Broadband Internet Service
History does not bode well for the broadband providers on this. If one recalls back in the day, the Telco (MA-Bell/AT&T) used to tack on an additional charge for every actual receiver (that you were forced to rent from them) on the phone line. For those who know POTS (plain old telephone system) an extension can be added by just tapping a wire onto the existing wire in the house. However when MA-bell got broken up in the 70s(?) I believe they did away with this foofah, and you paid for the telephone *service*
CATV (cable) used to be the same way.. you day to pay extra for each TV. And then they stopped doing that and you paid for *service* of the signal.
Now here is where it gets tricky, unlike POTS and analog CATV the line is hot or its not (so to speak), broadband you actually have discrete data you are passing around. This should be the *service*. However it could end up being a pay as you go service (bad for the users, good for the money grubbers) or a limited throughput 'unlimited' service (which is mostly how it is now). Currently I don't see a metered usage model flying right now and this is why:
Everyone that adopted broadband early wanted it (and could get it) got it. Dialup services are cheap and unlimited. If you start charging for broadband based on usage you aren't very attractive to those people you want to take away from dialup who are complacent and will cope with what they have. A metered service is not (in consumers' minds) a *NOT* better value than an unmetered service.
As we know there is a mega glut of fiber, broadband should be getting cheaper rather than more expensive.. but that's another article. It's going to be hard to justify metering people when there is so much capacity unused. (hopefully supply and demand will work out here).
Now this is what is going to happen, when a critical mass of people stop using dialup, and then modems stop coming standard in computers, and then the broadband guys think they have a captive audience they will get everyone in the cartel on board and raise rates and meter usage. What's worse is that they will claim there is a lack of long haul bandwidth, which probably won't be true, because as the broadband market picks up they will still be doing expansion of the network because of the expectation of even larger amounts of growth.
Conclusion, this is probably good for the short term, *VERY* bad for the long term.
PS the document was spell checked for those with delicate constitutions.
Our expert system has detected that you are sharing a single connection with 4,179 computers.
Sigs are bad for your health.
more google... beyond the PDF
The cable company can't tell when my cable modem is visible on the network.
And now suddenly they're counting machines behind it?
This is sounding like fantasy and science fiction to me.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I enjoyed telling the cable people to screw off. They charged me in advance of services rendered (!) and every time a legislated rate decrease was passed, they would somehow have an increase in operating costs that exceeded it (so rates would go up anyway).
But then I went to DirecTV, and it felt good to not be the hostage of the cable company... until I realized I was still a hostage.
I do have DSL, but we finally booted DirecTV. It was just too much money every month. I tried calling customer service to see if I could step down to a more economical package (maybe with the 10-15 channels I actually watch) but they told me I was already at the lowest level (which has seemingly hundreds of channels). The infuriating part: when I called to cancel they said I could switch to a cheaper package with less channels.
But anyway, this is about IP addresses and NAT; couldn't we have a kernel/netfilter module that will resequence all outgoing packets consecutively and reverse on the return?
the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...
...which will, of course, result in their attempts to find more onerous legal solutions to the problem.
I say - let the games begin!
It's people who want streaming audio and video, or massive file sharing. Power users just want to be able to download the data they need, when they need it, without a long wait. I don't say this to put down people who do streaming - I use it too, sometimes. But a power user probably consumes an order of magnitude less bandwidth than a user who has the connection primarily to do streaming media. Personally, I'm exquisitely happy with my broadband DSL connection, and with my ISP (speakeasy).
:'}
My main worry right now is that Congress will kill my ISP by fiat, and I'll be forced to buy service from a baby bell again.
Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...
Taking this one stumble further, I note that there is only one "computer" attached physically to the Bellsouth DSL line: a little cheap Linksys router, which having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.
Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T engineer needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
This argument is only valid for DSL, however I think the cable companies should be hauled into court for false advertising.
In my experience, when I get DSL I am paying for a particular guaranteed bandwidth to my ISP. How many machines I choose to hook up to that is purely my business, provided I am not running a neighborhood LAN (fair enough) because the contract is per address.
What an ISP does not like is the fact that their "model" of what you should be doing tends to get blown away by multiple machines. They may not like this, but thats too bad. If you are going to promise bandwidth, then that is what you should deliver. If you don't, it's false advertising. It is a bit like the RIAA because they do not want to adopt methods that give them public relations headaches (ie. they do not like admitting their true intentions) such as:
"Guaranteed 650kbs (so long as you only use it less than 2hr out of every day)"
As a side note, I remember reading the contract for my ISP stating that excessive Up/Downloading were grounds for termination of service. However there was no definition for this term and nobody at the company seemed to have a good idea of what this was. Put simply, if I did use enough bandwidth downloading Linux Distro's 20 times a week and they terminated me I could sue them. Frankly I am surprised their lawyers allowed that one to get out the door.
Just for your information: Many of those p2p applications support SOCKS 4 + 5 proxies. (Morpheus/Kazaa, WinMX, AG did..)
Well, Duh, of course Random != Unique. But since it's an unsigned short, incrementing it means every 2^16'th packet will have the same id, so universal uniqueness is not an issue.
;p
:)
Besides the patches at grsecurity.net do the same thing, but use their own random number generator (ip_randomid) rather than the kernel-provided one (net_random).
Their patches are better, of course, since they integrate with the kernel proper and provide a kernel option. The point of my post was to emphasise how trivial the change effectively was
Also, anyone patching their kernels with things they got off slashdot has far greater problems than being NAT sniffed
If the cable company calls me up and says, "We have discovered that you have more than one computer on your connection..." My reply, "Oh, shit someone hacked my wireless router." Click. Old7
here's one.
Seems a little arbitrary, but they're small fry. let's go bigger:
here's another.
I think this bit applies to the question at hand (emphasis is mine):
How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
however, if we look to AT&T DSL TOS, they are somewhat more restrictive:
A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.
Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and I had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.
So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, I won't be changing my NAT settings...
Humpty Dumpty was pushed.
As far as I know, OpenBSD's pf is the only free packet filter that gives you the option to change the IP ID field. It is the "modulate state" command.
pf was designed into Open for 3.0, which would be about 18 months ago, I think. This makes it one of the newest and most recently designed firewalls. (It's a whole other topic of whether it's the best, ipfilter has some loyal devotees).
FreeBSD's stack does do a pseudo-random ipid, but of the two firewalls available for FreeBSD (ipfw and ipf) neither rewrites the IPID, as is the case with Linux as far as I know.
So if you have a NAT'd LAN of FreeBSD boxes, don't worry about it. If you have an OpenBSD 3.0 or greater firewall, don't worry about it. Otherwise, the technique outlined in the paper will work and the boogeyman is being dispatched to your CO as we speak!
Troll Like a Champion Today
The ISPs could also try checking all the TTLs (time to live) of the packets.
Many routers don't set this value to be one specific value, and multiple computers have multiple TTLs. Thus, it is an excellent indication of multiple computers.
Also, if you happen to be using Linux kernel 2.4, netfilter nat modules happen to change the TTL to one certain value.
--agenthh
I suspect the techniques discussed in that paper have been used for quite a while by AT&T, but they have been rather secretive about it.
About nine months ago I got into a bit of a sticky situation at work. One of our clients was running three PCs behind a NAT we installed. The DSL provider shut them off repeatedly for having "more than one machine per connection"
Mind you, this was AT&T business-class SDSL. Static IP, 768k/768k. They were certainly paying enough for it.
I talked to the ISP. The very rude and condescending rep told me they have software that can detect multiple machines behind a NAT, and that the customer had been warned and disconnected multiple times for it.
(No, we didn't take responsibility, because the customer didn't inform us the contract precluded NAT usage)
I asked the rep how they could detect this. The rep didn't know but said it was something called Option 82. I'm assuming this is DHCP Option 82, Routed Bridge Encapsulation. I don't see where RBE has anything to do with this, unless they were using it to sniff the connection between the NAT and the DSL router.
2. Use OSes with better randomisation of IP IDs.
grsecurity can do this for linux.
Sure, this could be used to count the number of machines behind broadband customers connections. The fact is, though, that it probably won't.
As you know, broadband service providers make money by assuming not everyone is using 100% of their bandwidth all the time. The only way they'll care as to whether you have multiple machines is if you use too much bandwidth. And even then, they'll probably only disconnect you for using too much bandwidth, and not having a shared connection.
I'm sure they won't give up a $50/month source of revenue because Joe has his mom's computer connected to a NAT box. Now, if Joe's mom was running a public FTP server...
if(!toilet_paper) roll.replace(new roll);
Hmmmm this little module lets one configure how you want the IP header id generated, among a bunch of other options to hide identity. Why not just work this into iptables, PF, IPF and no worries about NAT ID'ing.
Well, this comment is going to be so far down that most people wont see it, but I'll try it anyways.
The method described is only one method to count hosts behind a NAT box. Just think how much fun your ISP could have if they utilized a passive nmap-like system. Just by analyzing the traffic, they can tell what OS created the packets, among other things.
That said, there are ways around this already in the wild. OpenBSD's PacketFilter (PF) has a "modulate state" keyword that would solve your problem nicely. That tells PF to essentially rewrite the packets, primarily to give them the benefit of OpenBSD's random sequence numbers, but it will also stop any other analysis of the packets.
Of course, that still leaves the possibility of them checking your surfing habits. However, that would be, not only incredibly intrusive, but quite difficult for them to do on a large scale. Besides, if it ever happens, and they say they saw your firewall making connections to 12 different websites at the same time, just tell them it was all from your one machine, and there's nothing they can do to refute it.
Of course, I'm not concerned about this in the least. I'm using Earthlink broadband, who happen to care about customer privacy more than any other. I certainly didn't hear of any other ISPs giving the US government the finger when they wanted to install Carnivore.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
If someone is routinely monitoring your IP packets like that, how is it different from routinely monitoring your phone calls? Why doesn't this have to be done by a law enforcement agency, with a warrant in hand? Why isn't this covered under the same legal umbrella that affirms our right to have extension telephones? (You might not remember Bell charging monthly for each phone, available only under lease, but I do.)
We should be allowed to have NAT for the same reason we are allowed to have phones, and if the provider has a problem with that, they need to take a hike. Sniffing for this is unquestionably in bad taste, and it is also a violation of my civil rights.
-fb Everything not expressly forbidden is now mandatory.
Hmm, 99% of my LAN's Internet traffic goes through my caching and filtering web proxy, so it would look like there was only one machine anyway. What little traffic doesn't go through the proxy is probably too scattered to detect a noticeable trend. And as someone else mentioned, iptables might have to reassign the IPIDs to prevent collisions anyway. Maybe we'll get random IPIDs like FreeBSD, too :-) In my case, they might be better off looking at TTL, window size, and all the other stuff nmap uses to detect different OSes.
The ocean parts and the meteors come down
Laid out in amber, baby.
We recently discussed this paper here at UNC-CH because one of our graduate students went to IMW. Something that came up was that they didn't actually get any real data for this experiment. So although the paper's content is sound, it should still be verified before it is taken as a feasible approach.
It would be better (compared to randomizing) if the sequence of IPids for a single machine were chosen to masquerade as N independent counting values. This would fool them into thinking that you have N machines connected, when in fact you only have one! They'd only have to be fooled by this technique a couple of times before they gave up the technique entirely.
Well, then suddenly SBC doesn't seem like such a group of bozos. Multiple computers do not necessarily equal higher BW. For me, when my daughter comes home from college, my BW usage spikes. Now if I have 2 computers connected or 1 computer, it doesn't matter, the cause of the BW usage is not a function of the number of computers.
And I don't like your phrase 'bandwith hogs' anyway. Either commit to a level of BW or an amount of data to transfer, or don't bitch about a subset of users using more than 'their share'. To me, it sounds like a fitness club owner complaining about some of the members who actually come in and use the equipment! The nerve! And they stay for hours too!
If you are charged per KB, then charge your users per KB. McDonalds doesn't charge customers on their cholesterol level, they charge customers on the food that they order. I just don't see how multiple computers are the root cause of your problems.
No, I don't trust in god. He'll have to pay up front, like everybody else.
This isn't necessarily directed at you or your ISP, but just an observation about many ISPs.
Your argument is that having multiple machines correlates strongly with high bandwidth usage. I am not going to debate this.
My problem starts when you try to say users shouldn't be using that much bandwidth. When you say that P2P burns bandwidth like popcorn, and you can't support those users.
Here's the thing: I pay for *unlimited* bandwidth. I should be able to saturate my 768/128 pipe 24/7 and no one should be able to complain. That's what my ISP advertised.
Now, if the ISP can't afford to provide unlimited (and they advertised that they would), then they should fix the advertising. Don't cap my bandwidth usage, I pay for unlimited.
I understand that you guys can't afford to allow unlimited access: stop advertising it, then.
Eh, if they really wanted to stop that, they'd just threaten to shut down the people who run their connections maxed out all the time. Sorry to offend people with semi-legitimate reasons for their connections to be maxed out, but it seems to me that p2p is the most likely candidate. It's not that hard for them to include in the terms of service that this sort of behavior is unacceptable.
I can buy someone having their downloads maxed out for short bursts of time; that's what broadband is for, after all. I can also understand having both ways maxed out during bursts of time for something like gaming, but a lot of people leave those p2p programs downloading constantly and uploading to whoever wants their files. -That- is what the ISPs should be cracking down on, not someone sharing their connection between two or three computers so the kids in the family don't have to fight over the internet connection.
Okay - I see a lot of discussion about going to metered usage (not really sure if it's offtopic or not -but I want to comment on all the tangent discussion on this topic I do see).
It seems to me the trend for most telecom services is away from metered service to flat rate service (or practically flat rate - i.e. where the metered rate is so ridiculously low that maximum monthly metered usage is reasonable for those who truly use it). Interesting thing about internet connections - they are starting off as flat rate - and everyone predicts they'll go to metered service. The additional benefit of flat rate pricing is it's very easy and less costly to implement for the service provider and provides simplicity to the end user.
One may use the argument that voice connections monopolize the connection and thus it's not easily sharable - but I just argue that voice connections use longer and larger packets...the behavior is the same as any other data network - only one person can talk at any time....computers just do this faster to appear like there is simultaneous use.
So why would there be any difference in the pricing models or their future trends? Even cell phones are rapidly approaching the point where "flat rate" usage is becoming the norm (how many people actually exceed the 1200 minutes (not including promotional off peak) in most of the big companies' $80 plans? and that price point is dropping monthly). As a matter of fact, most of the companies make money banking on the fact that the avg user uses far less than the allotted amount and thus their actual meter charge is very high. At critical masses, they gain the benefits of flat pricing (reduced cost in terms of monitoring and billing complexity) as well as taking advantage of users' tendencies to use less than they actually _think_ they need (thus inflating the price and margin per minute). Ensure your baseline costs are covered, and everything else is gravy. Find a way to squeeze down idle capacity and voila - profitable business (hmmm....sounds like that's what supply chain mgmt is about, no?)
Anyways, I'll go against the grain and posit the following:
1) Flat rate pricing will continue to be the norm.
2) ISPs will eventually be talked out of the restrictions on the number of "computers" (esp as smart appliances come online - since consumers won't be likely to use those portions of the service if there's a charge per device).
3) They will find another way to make money - value added services for instance (the equivalents of caller id - but in the internet, security monitoring, unwanted spam blocking, etc).
Anyways - just some rambling thoughts from someone who can't figure out why ISPs aren't making money hand over fist right now;)
If all you want is web access, why bother with NAT at all? It is an ugly hack, really. You can just set up a proxy server (squid or wwwoffle) and configure browsers to use that. You'll probably get better performance, too, since the proxy server can do caching. Or you could use NAT for ssh connections and an explicit proxy server for http/https/ftp.
OK, I know there are some NATting products which do caching internally, but it's not as clean as just configuring the web browsers to talk directly to a proxy, and it's more likely to break stuff. (At least, some 'transparent' web caches are horribly broken.)
-- Ed Avis ed@membled.com
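The explicit-proxy setup the comment above suggests, as an added example that is not part of the original post: a minimal squid configuration that serves only the home LAN and caches responses, with browsers pointed at it instead of relying on NAT for HTTP. The LAN range 192.168.1.0/24, the listening port 3128, and the cache path are assumptions for illustration.

```conf
# squid.conf (added example, not from the original post)
# Listen for browser proxy requests on the LAN side of the gateway.
http_port 3128

# Only hosts on the home LAN (assumed range) may use the proxy;
# everything else, including the ISP-facing side, is refused.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# On-disk cache: 1000 MB, 16 first-level and 256 second-level dirs (assumed path).
cache_dir ufs /var/spool/squid 1000 16 256

# Keep the proxy from announcing internal client addresses upstream.
forwarded_for delete
via off
```

Each browser (or the system-wide proxy setting) is then configured to use the gateway's LAN address on port 3128 for http, https and ftp; since the proxy originates every outbound HTTP connection itself, the ISP sees a single client rather than rewritten packets from several machines, and the cache serves repeated requests locally.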
Why are you charging per IP? Charge these people by the traffic they use. I also fail to understand how having two machines behind a NAT can use twice as much bandwidth. I would assume you cap the bandwidth already, but if not-- a single machine with a 100MBps ethernet card could saturate a whole stack o' T1 connections. There is no need for more than one box running 24/7 to eat all of your bandwidth and then some.
I understand the need to make money-- you are a business after all. But don't charge based on how people use the bits after they get there (whether they all go to the same PC or get split up by a router)-- charge them based on how many bits they use. If they want extra IPs for $12, that's cool too. But don't enforce it on everyone. That's a massive waste of IP space.
I could never understand how ISPs could enforce a 'no home network' rule. Technically in a NAT setup there is only one computer (the NAT box) connected to the provider. Packets never travel directly from any other computer to the ISP. Now the fact that the NAT box may be "delegated" some traffic from another machine in the home network is none of the ISP's concern, i.e. they should have no control of what I do to my bits once they reach the only machine connected to them, whether I save those bits, send them to /dev/null or change headers and send them to another box.